buildroot
Public
Source
committed 54a94951231xxxxxxxxxxFrom https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-009Signed-off-by: Peter Korsgaard <peter@korsgaard.com> BASH PATCH REPORT =================Bash-Release: 4.4Patch-ID: bash44-009Bug-Reported-by: Hong Cho <hong.cho@citrix.com>Bug-Reference-ID: <c30b5fe62b2543af8297e47ca487c29c@SJCPEX02CL02.citrite.net>Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2016-12/msg00043.htmlBug-Description:There is a race condition in add_history() that can be triggered by a fatalsignal arriving between the time the history length is updated and the timethe history list update is completed. A later attempt to reference aninvalid history entry can cause a crash.Patch (apply with `patch -p0'):*** bash-4.4-patched/lib/readline/history.c 2016-11-11 13:42:49.000000000 -0500--- b/lib/readline/history.c 2016-12-05 10:37:51.000000000 -0500****************** 280,283 ****--- b/280,284 ---- { HIST_ENTRY *temp;+ int new_length; if (history_stifled && (history_length == history_max_entries))****************** 296,306 **** /* Copy the rest of the entries, moving down one slot. Copy includes trailing NULL. */- #if 0- for (i = 0; i < history_length; i++)- the_history[i] = the_history[i + 1];- #else memmove (the_history, the_history + 1, history_length * sizeof (HIST_ENTRY *));- #endif history_base++; }--- b/297,303 ---- /* Copy the rest of the entries, moving down one slot. Copy includes trailing NULL. */ memmove (the_history, the_history + 1, history_length * sizeof (HIST_ENTRY *));+ new_length = history_length; history_base++; }****************** 316,320 **** history_size = DEFAULT_HISTORY_INITIAL_SIZE; the_history = (HIST_ENTRY **)xmalloc (history_size * sizeof (HIST_ENTRY *));! history_length = 1; } else--- b/313,317 ---- history_size = DEFAULT_HISTORY_INITIAL_SIZE;